X-Git-Url: http://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Finternal%2Fuseradmin%2Fjackrabbit%2FJackrabbitUserAdminService.java;h=cc6d85b48587c4453b3cd00836860f9cff6881d5;hb=51be851d1253d4858f9b63c533df6bcfe76a393f;hp=d35f996f49e7e78b074119748fa5ed70d2545f8e;hpb=d12f4cda6ff7b1de242a19362c3680f30ccc5168;p=lgpl%2Fargeo-commons.git diff --git a/org.argeo.cms/src/org/argeo/cms/internal/useradmin/jackrabbit/JackrabbitUserAdminService.java b/org.argeo.cms/src/org/argeo/cms/internal/useradmin/jackrabbit/JackrabbitUserAdminService.java index d35f996f4..cc6d85b48 100644 --- a/org.argeo.cms/src/org/argeo/cms/internal/useradmin/jackrabbit/JackrabbitUserAdminService.java +++ b/org.argeo.cms/src/org/argeo/cms/internal/useradmin/jackrabbit/JackrabbitUserAdminService.java @@ -1,5 +1,9 @@ package org.argeo.cms.internal.useradmin.jackrabbit; +import static org.argeo.cms.KernelHeader.ROLE_ADMIN; +import static org.argeo.cms.KernelHeader.USERNAME_ADMIN; +import static org.argeo.cms.KernelHeader.USERNAME_DEMO; + import java.util.ArrayList; import java.util.Arrays; import java.util.Iterator; @@ -22,12 +26,14 @@ import org.apache.jackrabbit.api.security.user.UserManager; import org.apache.jackrabbit.core.security.authentication.CryptedSimpleCredentials; import org.apache.jackrabbit.core.security.user.UserAccessControlProvider; import org.argeo.ArgeoException; +import org.argeo.cms.CmsException; import org.argeo.cms.KernelHeader; import org.argeo.cms.internal.auth.GrantedAuthorityPrincipal; import org.argeo.cms.internal.auth.JcrSecurityModel; import org.argeo.jcr.JcrUtils; import org.argeo.jcr.UserJcrUtils; import org.argeo.security.NodeAuthenticationToken; +import org.argeo.security.SecurityUtils; import org.argeo.security.UserAdminService; import org.argeo.security.jcr.JcrUserDetails; import org.argeo.security.jcr.NewUserDetails; @@ -50,35 +56,47 @@ public class JackrabbitUserAdminService implements UserAdminService, AuthenticationProvider { private final static String JACKR_ADMINISTRATORS = "administrators"; private final static String REP_PRINCIPAL_NAME = "rep:principalName"; + // private final static String REP_PASSWORD = "rep:password"; private Repository repository; private JcrSecurityModel securityModel; private JackrabbitSession adminSession = null; - private String superUserInitialPassword = "demo"; + private String initialPassword = "demo"; public void init() throws RepositoryException { Authentication authentication = SecurityContextHolder.getContext() .getAuthentication(); authentication.getName(); adminSession = (JackrabbitSession) repository.login(); - securityModel.init(adminSession); - Authorizable adminGroup = getUserManager().getAuthorizable( - KernelHeader.ROLE_ADMIN); + Authorizable adminGroup = getUserManager().getAuthorizable(ROLE_ADMIN); if (adminGroup == null) { - adminGroup = getUserManager().createGroup(KernelHeader.ROLE_ADMIN); + adminGroup = getUserManager().createGroup(ROLE_ADMIN); adminSession.save(); } + + // create superuser Authorizable superUser = getUserManager().getAuthorizable( - KernelHeader.USERNAME_ADMIN); + USERNAME_ADMIN); if (superUser == null) { - superUser = getUserManager().createUser( - KernelHeader.USERNAME_ADMIN, superUserInitialPassword); + superUser = getUserManager().createUser(USERNAME_ADMIN, + initialPassword); ((Group) adminGroup).addMember(superUser); - securityModel.sync(adminSession, KernelHeader.USERNAME_ADMIN, null); + securityModel.sync(adminSession, USERNAME_ADMIN, null); + adminSession.save(); + + // create demo user only at initialisation + Authorizable demoUser = getUserManager().getAuthorizable( + USERNAME_DEMO); + if (demoUser != null) + throw new CmsException("There is already a demo user"); + demoUser = getUserManager().createUser(USERNAME_DEMO, + initialPassword); + securityModel.sync(adminSession, USERNAME_DEMO, null); adminSession.save(); } + securityModel.init(adminSession); } public void destroy() throws RepositoryException { @@ -116,20 +134,33 @@ public class JackrabbitUserAdminService implements UserAdminService, @Override public void updateUser(UserDetails userDetails) { try { - User user = (User) getUserManager().getAuthorizable( - userDetails.getUsername()); + String username = userDetails.getUsername(); + User user = (User) getUserManager().getAuthorizable(username); if (user == null) throw new ArgeoException("No user " + userDetails.getUsername()); // new password String newPassword = userDetails.getPassword(); if (!newPassword.trim().equals("")) { - SimpleCredentials sp = new SimpleCredentials( - userDetails.getUsername(), newPassword.toCharArray()); - CryptedSimpleCredentials credentials = (CryptedSimpleCredentials) user - .getCredentials(); - if (!credentials.matches(sp)) - user.changePassword(new String(newPassword)); + if (newPassword.startsWith("{SHA-256}")) { + // Already hashed password + throw new CmsException("Cannot import hashed password"); + // Value v = adminSession.getValueFactory().createValue( + // newPassword); + // user.setProperty(REP_PASSWORD, v); + // TODO find a way to deal w/ protected property + // see + // http://jackrabbit.apache.org/api/2.2/org/apache/jackrabbit/core/security/user/UserImporter.html + } else { + SimpleCredentials sp = new SimpleCredentials( + userDetails.getUsername(), + newPassword.toCharArray()); + CryptedSimpleCredentials credentials = (CryptedSimpleCredentials) user + .getCredentials(); + + if (!credentials.matches(sp)) + user.changePassword(new String(newPassword)); + } } List roles = new ArrayList(); @@ -282,7 +313,10 @@ public class JackrabbitUserAdminService implements UserAdminService, Group group = (Group) groups.next(); String groupName = group.getPrincipal().getName(); String role = groupNameToRole(groupName); - if (role != null && !role.equals(KernelHeader.ROLE_GROUP_ADMIN)) + if (role != null + && !role.equals(KernelHeader.ROLE_GROUP_ADMIN) + && !(role.equals(KernelHeader.ROLE_ADMIN) && !SecurityUtils + .hasCurrentThreadAuthority(KernelHeader.ROLE_ADMIN))) res.add(role); } return res;